Two-Tier Subagent Permission Scoping

• Entity ID: ent-20260423-p2a023000001
• Type: mechanism
• Scope: private
• Status: active

Description

When allowedTools is explicitly provided to runAgent(), SDK-level permissions from --allowedTools are preserved (apply to all agents) but session-level rules are replaced by the subagent's declared allowedTools. Without explicit allowedTools the parent's session-level rules are inherited.

Key claims

• Subagent allowedTools creates two-tier permission scoping

Relations

• Two-Tier Subagent Permission Scoping --[depends_on]--> 12 Boring Primitives Framework

Sources

src-20260423-0cff68d3291b